A massive vulnerability discovered in WhatsApp earlier this month made the Facebook-owned messaging platform vulnerable to an infamous form of malware oppressive regimes often use to snoop around their targets and compromise them in a variety of ways.
The company confirmed the development this week, adding that the issue has been patched. The discovered attack vector is technically a buffer overflow vulnerability affecting the app’s voice-over-IP (VOIP) protocols. In practice, it allowed attackers to remotely force code execution on target devices by sending them custom SRTCP packets via WhatsApp. While the design weakness may be niche in nature, its requirements aren’t particularly difficult to fulfill and anyone with any knowledge of the vulnerability was likely ale to exploit it consistently for years.
Knowing the target’s phone number and the fact they use WhatsApp is everything required for them to be identified as a potential recipient of corrupted wireless packets capable of triggering remote code executions.
(No) security through obscurity
While the exploit is patched as of right now, the episode as a whole serves as yet another example of why the “security through obscurity” mantra never works in the long run. Namely, neither Facebook nor its subsidiary are saying what the exact exploit was or how many users are estimated to have beeen targeted by technique relying on the newly reported security oversight. The company only stated it doesn’t believe the number of WhatsApp users potentially compromised through the vulnerabiltiy is extremely small as the attack vector in question is rather demanding to pursue and would require both a dedicated team and proper deployment infrastructure.
Yet the malware that first gave away the existence of the cybersecurity weakness suggests highly motivated and well-funded attackers are behind the exploit in the first place; the so-called Pegasus software is notorious for its widespread use by oppressive regimes, having already generated massive heat for the NSO Group, a Israeli company that created it.
The severity and complex nature of the vulnearbility are further illustrated by the fact Facebook and WhatsApp’s security teams needed ten full days to sufficiently address the issue, i.e. plug the attack vector for good. Less hazardous security problems are ususally addressed in a matter of hours, yet the one that allowed Pegasus to be remotely deployed even required some infrastructural changes on WhatsApp’s part, though the firm declined to clarify on the matter, i.e. explain what exactly did it have to do to combat the issue at hand.
The backend patch that went out in theory protects all versions of WhatsApp against Pegasus and similar spyware reliant on the same VOIP exploit, even if they aren’t fully up-to-date. Naturally, it’s still recommended you ensure you’re running the very latest version of the messaging app so as to minimize the chances of being compromised by malicious third parties.
The Facebook unit already notified the U.S. Department of Justice about the development, i.e. the fact an Israeli firm known for collaborating with various governments on controversial spying initiatives might have been selling an exploit of its app protocols for at least months, if not years.